This page contains a Flash digital edition of a book.
OPINION


PROTECTION beyond the pipeline Tim Arridge reports on cyber and insider threats to the oil & gas industry O


il and gas production is a risky business. Hazardous operating environments – often in isolated areas – and extremes of weather, together with the need to provide


an ‘always-on’ energy supply, present huge challenges to the industry. Production requires a large investment in money and manpower, and system failures can result in massive losses – not only to finances, but also to business reputation and even to life. Technological advances that allow more activity to be managed online might be expected to reduce these risks. Instead, the scale and complexity of cyber threats to online activities keeps growing. Whether hackers are targeting data and intellectual property, control and financial systems, or individuals’ and infrastructure security, every new cyber attack adds to the challenges faced by the oil & gas industry. Exploiting the many opportunities that new technologies present while mitigating the cyber threats that could harm your


6 www.engineerlive.com


organisation requires a balancing act worthy of tightrope daredevil, Blondin. Oil & gas companies are key targets for cyber attackers. Motivations may be political, such as the Operation Petrol cyber attack on the petroleum industry by hacktivists Anonymous in June 2014; or financial, as seen in the 2011 Night Dragon malware, which stole bidding plans and other proprietary information. Every area is potentially at risk – from workstations and servers, to industrial control systems and instrumentation. Large-scale attacks can have surprisingly small catalysts: the August 2012 Saudi Aramco incident, which affected over 30,000 workstations and forced the company to shut down all external network connections for a time, was allegedly introduced via a spear- phishing email. Some attacks are less intent on sabotage, and instead focus on espionage: in December 2014 Operation Cleaver hackers obtained sensitive data from a number of companies, including nine in the oil & gas field.


Perhaps, in an industry that deals with


life-threatening risks every day, there is a feeling that these ‘virtual’ attacks can’t be that much of a problem. But, with an ever-present terrorist threat, we have to recognise that oil & gas production forms an important part of the critical national infrastructure. For this reason alone, it is a target for attackers who will recognise and capitalise on any weak spots. Whether these vulnerabilities are found in current or legacy control and infrastructure systems, devices that access data and information, the supply chain, or an uninformed or coerced workforce, they can be used by criminals – with potentially devastating consequences to life, supply and business. Te benefits of automating and connecting systems are many – they can streamline production processes, reduce operational costs and provide monitoring information. But attacks on embedded and operational systems are growing, and as control and SCADA systems link to each other, to internal networks and to other


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52